httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] apache as non-root
Date Thu, 08 Nov 2007 13:55:44 GMT
On Nov 8, 2007 7:11 AM, Axel-Stephane SMORGRAV
<Axel-Stephane.SMORGRAV@europe.adp.com> wrote:
> I think you would need to elaborate on that statement. Frankly I can see a few differences,
> but I am not sure whether those are what you were thinking about. Apache also does a chuid/chgid
> effectively changing the UID/GID of the process to something which is hopefully not privileged.
>
> Whether Apache is started with sudo or is suid root, anyone able to start an Apache instance
> with the configuration of his/her choice can do bad things on the server.

No, if apache is started with normal user privileges, it can't do harm
beyond the privileges of that user. By setting apache suid root,
anyone on your system can obtain complete root access by using the -f
flag to specify a config file. (I won't give specifics of what you
need to put in the config file, but it is quite easy for anyone with
some apache knowledge.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
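
A check for the condition discussed in this message, as an added example that is not part of the original thread: it reports whether a given Apache binary carries the setuid bit and whether its owner is root. The function names and the paths in the usage comment are assumptions; adjust them to the local install.

```shell
#!/bin/sh
# Added example (not from the thread): flag Apache binaries that are setuid.
# A setuid-root httpd runs with root privileges for every local user who
# can execute it, which is the situation the reply above warns against.

# check_httpd_suid PATH
#   Prints "<verdict> <path>"; returns 1 when the setuid bit is set.
check_httpd_suid() {
    target=$1
    if [ ! -f "$target" ]; then
        echo "MISSING $target"
        return 0
    fi
    if [ ! -u "$target" ]; then        # -u: setuid bit is set
        echo "OK $target"
        return 0
    fi
    # Numeric owner from ls -ln (third field), so no name lookup is needed.
    owner=$(ls -ln "$target" | awk '{print $3}')
    if [ "$owner" = "0" ]; then
        echo "SUID-ROOT $target"
    else
        echo "SUID-UID$owner $target"
    fi
    return 1
}

# audit_httpd PATH...
#   Checks every path; returns 1 if any of them is setuid.
audit_httpd() {
    status=0
    for candidate in "$@"; do
        check_httpd_suid "$candidate" || status=1
    done
    return $status
}

# Usage (candidate locations are assumptions, not taken from the thread):
#   audit_httpd /usr/sbin/httpd /usr/sbin/apache2 /usr/local/apache2/bin/httpd
# Remediation for a finding: chmod u-s <path>
```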